Skip to main content

List of all Roles

The following are all the roles currently supported by Strata Cloud Manager:

RoleUI LabelDescription
adem_tier_1_supportADEM Tier 1 SupportThis role provides access to specific incident remediation workflows for Prisma Access ADEM.
auditorAuditorThis role provides read-only access to functions related to all configuration, including subscriptions and licenses. Assign this role to users or service accounts that need to examine the system for accuracy.
browserBrowserThis role provides access to only the essential features required by Palo Alto Networks UI Applications.
business_adminBusiness AdministratorThis role provides access to all subscription and license management. This role also provides read-only access to other functions, including but not limited to: access policies, service accounts, and tenant service group operations.
data_security_adminData Security AdministratorThis role provides access to all data security functions. In addition, it provides read-only access to logs. This role contains a very small subset of privileges compared to the Security Admin role.
deployment_adminDeployment AdministratorThis role provides access to functions related to deployments. In addition, this role provides read-only access to other functions.
dlp_incident_adminDLP Incident AdministratorThis role provides access to functions related to dlp incident and report. This role also provides read-only access to other functions, including but not limited to: data profile, data filtering profile, data pattern, EDM and OCR settings.
dlp_policy_adminDLP Policy AdministratorThis role provides access to functions related to dlp policy including but not limited to: data profile, data filtering profile, data pattern, EDM and OCR settings.
iam_adminIAM AdministratorThis role provides access to identity and authentication functions. In addition, it provides read-only access to logs. Assign this role to users or service accounts that need to manage users or service accounts.
msp_iam_adminMultitenant IAM AdministratorThis role provides access to identity and authentication functions for all tenants in a multitenant hierarchy. In addition, it provides read-only access to logs.
msp_superuserMultitenant SuperuserThis role provides full read and write access to all functions for all tenants in a multitenant hierarchy. Assign this role only to users or service accounts that need unrestricted access to the MSP portal.
mt_manage_userMultitenant Manage UserThis role provides access to functions related to multitenant management and other common resources.
mt_monitor_userMultitenant Monitor UserThis role provides access to functions related to multitenant monitoring and other common resources.
network_adminNetwork AdministratorThis role provides access to functions related to network configuration. This role also provides read-only access to other functions, including but not limited to: alerts, license quotas, devices, and tenant service group operations.
security_adminSecurity AdministratorThis role provides access to functions related to security policy configuration. This role also provides read-only access to other functions, including but not limited to: alerts, license quotas, devices, and tenant service group operations.
soc_adminSOC AdministratorThis role allows the administrator to assess incidents and remediate risks in SaaS Security. This administrator cannot access SaaS Security API settings or modify policy rules.
soc_analystSOC AnalystThis role provides read-only access to functions related to logs, reports, events, alerts, and all configuration. Assign this role to users or service accounts that need to view and investigate threats and trends.
sspm_appowner_superuserPosture Security AdministratorThis role provides full SSPM functionality but only for the SaaS application(s) that the administrator onboards themselves. It is intended to give IT/SaaS administrators full SSPM read and write access to the SaaS apps they are responsible for.
superuserSuperuserThis role provides full read and write access to all the available system-wide functions. It includes all the permissions of all the other roles, including MSP Superuser. Assign this role only to users or service accounts that need unrestricted access.
tier_1_supportTier 1 SupportThis role provides access to specific incident remediation workflows that update network, security, SD-WAN, GlobalProtect, and device configuration. This role also provides read-only access to other functions.
tier_2_supportTier 2 SupportThis role provides access to specific incident remediation workflows that update network, security, SD-WAN, GlobalProtect, and device configuration. This role also provides read-only access to other functions.
view_only_adminView Only AdministratorRead only access to all functions.
web_security_adminWeb Security AdminThis role provides access to functions related to web security for Prisma Access.